What is claimed: 

1 1 . A method of improving intrusion detection in a computing network, comprising steps of: 

2 defining intrusion suspicion levels for inbound communications destined for a computing 

3 device on the computing network; and 

4 using the defined intrusion suspicion levels to determine if a particular inbound 

5 communication destined for the computing device should be treated as an intrusion event. 

The method according to Claim 1, further comprising steps of: 
defining a sensitivity level for filtering intrusion events; and 
determining the intrusion suspicion level of the particular inbound communication; 
wherein the using step compares the sensitivity level to the determined intrusion suspicion 
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3. The method according to Claim 2, wherein the determining step further comprises 

B 

Ij comparing conditions in the computing device to predetermined conditions which signal a 
3 potential intrusion. 

1 4. The method according to Claim 3, wherein the conditions in the computing device 

2 comprise contents of the particular inbound communication. 
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5. The method according to Claim 4, wherein the conditions in the computing device further 
comprise a protocol state of a protocol stack which processes the particular inbound 
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communication. 



1 6. The method according to Claim 1 , further comprising the step of taking one or more 

2 defensive actions when the using step determines that the particular inbound communication 

3 should be treated as an intrusion event. 



1 7. The method according to Claim 6, wherein the defensive actions are determined by 

2 consulting intrusion detection policy information. 
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5: 8. The method according to Claim 6, wherein the intrusion detection policy information is 
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S ; stored in a network-accessible repository. 
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CD 9. The method according to Claim 1 , wherein the using step further comprises comparing the 
W particular inbound communication to one or more attack signatures. 
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1 10. The method according to Claim 9, wherein at least one of the attack signatures is a class 

2 signature representing a class of attacks. 



1 11. The method according to Claim 9, wherein the attack signatures are specified as 

2 conditions in intrusion detection rules, and wherein each of the intrusion detection rules further 

3 comprises one or more actions that are to be taken when the using step determines that the 

4 particular inbound communication should be treated as an intrusion event. 
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1 12. The method according to Claim 1 , wherein the using step operates in the computing 

2 device for which the particular inbound communication is destined. 

1 13. The method according to Claim 12, wherein the using step operates within layer-specific 

2 intrusion detection logic executing in a protocol stack running on the computing device. 

1 14. The method according to Claim 1 , wherein the using step operates in a network device 

2, which analyzes communications directed to the computing device for which the particular inbound 

j|: communication is destined. 
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t 1 15. The method according to Claim 1 , further comprising steps of: 

yy 

% for each of a plurality of potential intrusion events, defining a set of one or more 

hj conditions which describe the potential intrusion event; 

CD 

3: associating a sensitivity level with each of the sets of conditions; and 

iy 

5 determining a suspicion level of the particular inbound communication; 

6 wherein the using step determines that the particular inbound communication should be 

7 treated as an intrusion event when conditions pertaining to the particular inbound communication 

8 match a selected one of the sets of conditions and the determined suspicion level maps to the 

9 sensitivity level associated with the selected set of conditions. 

1 16. A method for improving intrusion detection in a computing network, comprising steps of: 
RSW920020011US1 -58- 



2 classifying an inbound communication destined for a computing device on the computing 

3 network as to an intrusion class which is applicable to the inbound communication; and 

4 determining whether the applicable intrusion class has one or more associated intrusion 

5 detection policy specifications, and if so, performing actions specified in the one or more 

6 associated intrusion detection policy specifications. 



1 1 7. The method according to Claim 1 6, wherein the actions include writing a record 

2 describing the inbound communication to a file, wherein the record includes the applicable 

p.. intrusion class. 
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9D 18. The method according to Claim 1 7, wherein the record includes an identification of a code 
5£ element where the inbound communication was processed. 
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j| j 1 9. The method according to Claim 1 8, further comprising the step of: 
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2D determining, for each of the records of the file, whether the intrusion class and 

fU 

3 identification of the code element identify a specific attack, and if so, creating an analysis record 

4 for the identified specific attack. 

1 20. The method according to Claim 1 8, further comprising the step of: 

2 determining, for each of the records of the file, whether the intrusion class and 

3 identification of the code element identify a specific attack, and if not, performing steps of: 

4 locating packet data pertaining to the record; 
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5 t comparing the located packet data to attack signatures; and 

6 if a matching attack signature is located by the comparing step, creating an analysis 

7 record for a specific attack which corresponds to the matching attack signature, and otherwise 

8 creating an analysis record for the intrusion class. 

1 21. The method according to Claim 1 6, wherein the classifying step further comprises locating 

2 an attack signature which matches the inbound communication, and the determining step further 

3 comprises using one or more keywords which are associated with the located attack signature to 
ji retrieve the associated intrusion detection policy specifications. 

J 1 22. A system for improving intrusion detection in a computing network, comprising: 
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% means for defining intrusion suspicion levels for inbound communications destined for a 

£ 

|jh computing device on the computing network; and 
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PU means for using the defined intrusion suspicion levels to determine if a particular inbound 

Hi 

fP communication destined for the computing device should be treated as an intrusion event. 
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1 23. The system according to Claim 22, further comprising: 

2 means for defining a sensitivity level for filtering intrusion events; and 

3 means for determining the intrusion suspicion level of the particular inbound 

4 communication; 

5 wherein the means for using the defined intrusion further comprises means for comparing 

6 the sensitivity level to the determined intrusion suspicion level. 
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1 24. The system according to Claim 23 , wherein the means for determining further comprises 

2 means for comparing conditions in the computing device to predetermined conditions which 

3 signal a potential intrusion. 

1 25. The system according to Claim 22, further comprising means for taking one or more 

2 defensive actions when the means for using determines that the particular inbound communication 

3 should be treated as an intrusion event, wherein the defensive actions are determined by 
*k consulting intrusion detection policy information. 
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HP 26. The system according to Claim 22, wherein the means for using further comprises means 

m 

% for comparing the particular inbound communication to one or more attack signatures, wherein 

|h the attack signatures are specified as conditions in intrusion detection rules, and wherein each of 

p; 

fll the intrusion detection rules further comprises one or more actions that are to be taken when the 

fP means for using determines that the particular inbound communication should be treated as an 

irS : 

6 intrusion event. 

1 27. The system according to Claim 22, further comprising: 

2 for each of a plurality of potential intrusion events, means for defining a set of one or more 

3 conditions which describe the potential intrusion event; 

4 means for associating a sensitivity level with each of the sets of conditions; and 

5 means for determining a suspicion level of the particular inbound communication; 
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6 wherein the means for using determines that the particular inbound communication should 

7 be treated as an intrusion event when conditions pertaining to the particular inbound 

8 communication match a selected one of the sets of conditions and the determined suspicion level 

9 maps to the sensitivity level associated with the selected set of conditions. 

1 28. A system for improving intrusion detection in a computing network, comprising: 

2 means for classifying an inbound communication destined for a computing device on the 

3 computing network as to an intrusion class which is applicable to the inbound communication; 
A and 

jf; means for determining whether the applicable intrusion class has one or more associated 

if! 

l£ intrusion detection policy specifications, and if so, performing actions specified in the one or more 

on 

¥ associated intrusion detection policy specifications. 
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fij 29. The system according to Claim 28, wherein the actions include writing a record describing 

W 

6i the inbound communication to a file, wherein the record includes the applicable intrusion class and 

3 an identification of a code element where the inbound communication was processed. 

1 30. The system according to Claim 29, further comprising: 

2 means for determining, for each of the records of the file, whether the intrusion class and 

3 identification of the code element identify a specific attack, and if so, creating an analysis record 

4 for the identified specific attack, and if not, means for: 

5 locating packet data pertaining to the record; 
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6 x comparing the located packet data to attack signatures; and 

7 if a matching attack signature is located by the means for comparing, creating an 

8 analysis record for a specific attack which corresponds to the matching attack signature, and 

9 otherwise creating an analysis record for the intrusion class. 

1 31. The system according to Claim 28, wherein the means for classifying further comprises 

2 means for locating an attack signature which matches the inbound communication, and the means 

3 for determining further comprises means for using one or more keywords which are associated 

% with the located attack signature to retrieve the associated intrusion detection policy 
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jSFj specifications. 
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€ 1 32. A computer program product for improving intrusion detection in a computing network, 

in 8 : 

2 the computer program product embodied on one or more computer-readable media and 

I 

gh composing: 

j|i computer-readable program code means for defining intrusion suspicion levels for inbound 

5 communications destined for a computing device on the computing network; and 

6 computer-readable program code means for using the defined intrusion suspicion levels to 

7 determine if a particular inbound communication destined for the computing device should be 

8 treated as an intrusion event. 

1 33. The computer program product according to Claim 32, further comprising: 

2 computer-readable program code means for defining a sensitivity level for filtering 
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3 intrusion events; a#d 

4 computer-readable program code means for determining the intrusion suspicion level of 

5 the particular inbound communication; 

6 wherein the computer-readable program code means for using compares the sensitivity 

7 level to the determined intrusion suspicion level 

1 34. The computer program product according to Claim 33, wherein the computer-readable 

2 program code means for determining further comprises computer-readable program code means 

3 for comparing conditions in the computing device to predetermined conditions which signal a 
p! potential intrusion, the conditions in the computing device comprising contents of the particular 
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jjjh inbound communication, 
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4 35. The computer program product according to Claim 33, wherein the computer-readable 
If ! program code means for determining further comprises computer-readable program code means 
jjlji for comparing conditions in the computing device to predetermined conditions which signal a 

4 potential intrusion, the conditions in the computing device comprising contents of the particular 

5 inbound communication and a protocol state of a protocol stack which processes the particular 

6 inbound communication. 

1 36. The computer program product according to Claim 32, further comprising computer- 

2 readable program code means for taking one or more defensive actions when the computer- 

3 readable program code means for using determines that the particular inbound communication 
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should be treated a$ an intrusion event, wherein the defensive actions are determined by 
consulting intrusion detection policy information stored in a policy repository. 



1 37. The computer program product according to Claim 1 , wherein the computer-readable 

2 program code means for using further comprises computer-readable program code means for 

3 comparing the particular inbound communication to one or more attack signatures, wherein at 

4 least one of the attack signatures is a class signature representing a class of attacks. 

1 38. The computer program product according to Claim 32, wherein the computer-readable 

2 program code means for using operates in the computing device for which the particular inbound 
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X communication is destined. 
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|h 39. The computer program product according to Claim 32, wherein the computer-readable 

W program code means for using operates in a network device which analyzes communications 

m 

|<; directed to the computing device for which the particular inbound communication is destined. 

1 40. The computer program product according to Claim 32, further comprising: 

2 computer-readable program code means for specifying, for each of a plurality of potential 

3 intrusion events, a set of one or more conditions which describe the potential intrusion event; 

4 computer-readable program code means for associating a sensitivity level with each of the 

5 sets of conditions; and 

6 computer-readable program code means for determining a suspicion level of the particular 
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7 inbound communication; 

8 wherein the computer-readable program code means for using determines that the 

9 particular inbound communication should be treated as an intrusion event when conditions 

10 pertaining to the particular inbound communication match a selected one of the sets of conditions 

1 1 and the determined suspicion level maps to the sensitivity level associated with the selected set of 

12 conditions. 

1 41 . A computer program product for improving intrusion detection in a computing network, 

2 the computer program product embodied on one or more computer-readable media and 

SKI. 

j£i comprising: 

5 fi 

ft: computer-readable program code means for classifying an inbound communication 

W destined for a computing device on the computing network as to an intrusion class which is 

yp 

6 applicable to the inbound communication; and 
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computer-readable program code means for determining whether the applicable intrusion 

% class has one or more associated intrusion detection policy specifications, and if so, performing 

9 actions specified in the one or more associated intrusion detection policy specifications, 

1 42. The computer program product according to Claim 4 1 , wherein the actions include 

2 writing a record describing the inbound communication to a file, wherein the record includes the 

3 applicable intrusion class and an identification of a code element where the inbound 

4 communication was processed. 
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1 43. The pomputer program product according to Claim 42, further comprising: 

2 computer-readable program code means for determining, for each of the records of the 

3 file, whether the intrusion class and identification of the code element identify a specific attack, 

4 and if so, computer-readable program code means for creating an analysis record for the identified 

5 specific attack, and if not, computer-readable program code means for: 

6 locating packet data pertaining to the record; 

7 comparing the located packet data to attack signatures; and 

8 if a matching attack signature is located by the computer-readable program code 
|9 ? means for comparing, creating an analysis record for a specific attack which corresponds to the 
l|| matching attack signature, and otherwise creating an analysis record for the intrusion class. 
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44. The computer program product according to Claim 41 , wherein the computer-readable 
p., program code means for classifying further comprises computer-readable program code means for 

locating an attack signature which matches the inbound communication, and the computer- 
Si readable program code means for determining further comprises computer-readable program code 
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5 means for using one or more keywords which are associated with the located attack signature to 

6 retrieve the associated intrusion detection policy specifications. 
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